9. Mitre ATT&CK Navigator and… how wrong people could be about Penetration Testing
https://mitre-attack.github.io/attack-navigator/enterprise/
10. Audit and Assessment
Assessment                             | Audit
---------------------------------------|----------------------------------------------
Framework or standard                  | Framework or standard
Gaps between AS IS and TO BE           | Gaps between AS IS and TO BE
Snapshot in time                       | A historic period
Compliance of controls                 | Compliance and/or effectiveness of controls
May provide guidance                   | May provide direction, not guidance
Evidence and observation               | Hard evidence
Can be DIY                             | Cannot be DIY
Requires some subject matter expertise | Doesn't really require subject matter expertise
11. Why do we need all four, and when do we need them?
12. [Diagram: activities positioned on two axes, "Time covered" and "Space covered", between the corners Compliance, Security Baseline, Business Risk and Technology Risk]
- Self-assessment
- Qualified 3rd party assessment
- Internal audit
- External audit
- Security testing: application pentest, vulnerability assessment, infrastructure pentest